[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
Daniel P. Berrangé
berrange at redhat.com
Fri Feb 15 09:19:19 UTC 2019
On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
>
> 1) lists specific services it wants to allow, then
>
> 2) uses a lower priority <reject/> rule to block all other services to
> the host, and then finally,
>
> 3) relies on the zone's default "accept" policy to accept all
> forwarded traffic (since forwarded traffic is ignored by the
> slightly higher priority <reject/> rule in (2)).
>
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 (which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
>
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
>
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
>
> Signed-off-by: Laine Stump <laine at laine.org>
> ---
> src/network/libvirt.zone | 2 ++
> 1 file changed, 2 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
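The rule ordering Laine describes (explicit allows, then the lower-priority <reject/> that only host-bound traffic reaches, then the zone's default policy for forwarded traffic) can be modelled to show why DHCPv6 failed before the ICMP rules were added. The zone fragments below are constructed for illustration, not the project's real src/network/libvirt.zone; the service names other than dhcpv6 and the target="ACCEPT" attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed zone fragment modelling the state before the patch:
# a handful of services, then a catch-all <reject/> for host-bound traffic.
ZONE_BEFORE = """<zone target="ACCEPT">
  <service name="dhcp"/>
  <service name="dhcpv6"/>
  <service name="dns"/>
  <reject/>
</zone>"""

# Same zone with icmp and ipv6-icmp explicitly allowed ahead of the reject,
# which is what the patch adds (two insertions per the diffstat).
ZONE_AFTER = """<zone target="ACCEPT">
  <service name="dhcp"/>
  <service name="dhcpv6"/>
  <service name="dns"/>
  <protocol value="icmp"/>
  <protocol value="ipv6-icmp"/>
  <reject/>
</zone>"""


def host_allows(zone_xml, kind, name):
    """Simplified decision for traffic addressed to the host itself.

    kind is "service" or "protocol". Evaluation order follows the commit
    message: explicit allows win, then <reject/> drops everything else,
    and only if there is no <reject/> does the zone target apply.
    """
    root = ET.fromstring(zone_xml)
    if kind == "service":
        explicit = {e.get("name") for e in root.findall("service")}
    elif kind == "protocol":
        explicit = {e.get("value") for e in root.findall("protocol")}
    else:
        raise ValueError("kind must be 'service' or 'protocol'")
    if name in explicit:
        return True
    if root.find("reject") is not None:
        return False
    return root.get("target") == "ACCEPT"


def forwarded_allowed(zone_xml):
    """Forwarded traffic is not seen by <reject/>; only the zone target decides."""
    return ET.fromstring(zone_xml).get("target") == "ACCEPT"


def dhcpv6_works(zone_xml):
    """DHCPv6 needs the udp/dhcpv6 service and ICMPv6 to both reach the host."""
    return (host_allows(zone_xml, "service", "dhcpv6")
            and host_allows(zone_xml, "protocol", "ipv6-icmp"))
```

Running dhcpv6_works on each fragment reproduces the symptom in the commit message: the service alone is allowed, but ICMPv6 hits the reject until it is listed explicitly.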